successful authentication, it also tests whether the user possesses their mobile phone at that moment, and grants access only if they can prove it.
For this to work, the user must have been provisioned earlier in the IAM database with their mobile phone number as an attribute. As soon as CAS successfully authenticates the user against the LDAP directory, it retrieves the user's mobile phone number from the database. It also generates a One-Time Token (OTT), e.g., a random number of (say) 6 digits drawn from a cryptographically secure random number generator, stores the OTT temporarily in the database against the user record along with a timestamp, and sends the OTT to the user's mobile number through an SMS gateway. It then displays a second screen prompting the user to enter the OTT. (This is the simple Spring Web Flow customisation we referred to.) If the database holds the correct mobile number and the user has the phone with them at that time, they receive the OTT as an SMS message and can enter it on the second screen. CAS then validates the submitted value against the OTT stored in the database, checking the timestamp to make sure the stored value is not stale; an expired token, or one that has already been used, must be rejected. If the OTT matches, the user has passed the second-factor test. CAS then generates its tickets and redirects the user's browser back to the application as normal.
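The token lifecycle described above (issue, store with timestamp, send, validate with a staleness check), as an added stand-alone model that is not CAS code: the Spring Web Flow screens, the LDAP bind and the real SMS gateway are replaced by plain Python callables so the logic can be run offline. The five-minute validity window, the three-wrong-guess limit, the single-use rule, the sample user `alice` and her mobile number are all assumptions of this example, not values from the text.

```python
"""Model of the SMS one-time-token (OTT) second factor.

Added illustration, not CAS code: the web flow, LDAP and SMS gateway
are stubbed so the token lifecycle can be exercised offline.
"""
import hashlib
import hmac
import re
import secrets
import time

OTT_DIGITS = 6          # the text's "(say) 6 digits"
OTT_TTL_SECONDS = 300   # assumption: a token is stale after five minutes
MAX_ATTEMPTS = 3        # assumption: wrong-guess limit, not mentioned in the text


class FakeClock:
    """Controllable clock so the staleness check can be exercised deterministically."""

    def __init__(self, start=1_000_000.0):
        self.t = float(start)

    def now(self):
        return self.t

    def advance(self, seconds):
        self.t += seconds


class OttStore:
    """Stand-in for the OTT + timestamp kept against the user record in the IAM database."""

    def __init__(self, clock=time.time):
        self._clock = clock
        self._records = {}   # username -> (sha256(ott) hex, issued_at, failed_attempts)

    def issue(self, username):
        # secrets.randbelow draws from the OS CSPRNG; zero-padding keeps all 10**6 values equally likely
        ott = f"{secrets.randbelow(10 ** OTT_DIGITS):0{OTT_DIGITS}d}"
        # A hash of a 6-digit value is cheap to brute-force offline, so the short TTL
        # and attempt limit below, not the hash, are what really protect the token.
        digest = hashlib.sha256(ott.encode()).hexdigest()
        self._records[username] = (digest, self._clock(), 0)
        return ott   # handed only to the SMS gateway; never log it

    def validate(self, username, submitted):
        rec = self._records.get(username)
        if rec is None:
            return False
        digest, issued_at, failed = rec
        if self._clock() - issued_at > OTT_TTL_SECONDS or failed >= MAX_ATTEMPTS:
            del self._records[username]   # stale or brute-forced: force a fresh token
            return False
        candidate = hashlib.sha256(submitted.strip().encode()).hexdigest()
        if hmac.compare_digest(digest, candidate):   # constant-time comparison
            del self._records[username]   # single use: the same OTT cannot be replayed
            return True
        self._records[username] = (digest, issued_at, failed + 1)
        return False


class RecordingSmsGateway:
    """Constructed stand-in for the SMS gateway: records messages instead of sending them."""

    def __init__(self):
        self.sent = []   # (mobile_number, text)

    def send(self, mobile_number, text):
        self.sent.append((mobile_number, text))


# Constructed sample of the mobile-number attribute provisioned in the IAM database.
USER_MOBILES = {"alice": "+61400000001"}


def start_second_factor(username, store, gateway, mobiles=USER_MOBILES):
    """Runs right after the LDAP authentication succeeded: look up the mobile, issue and send an OTT.

    Returns False when no mobile is provisioned, so the caller fails the login closed
    instead of silently skipping the second factor.
    """
    mobile = mobiles.get(username)
    if not mobile:
        return False
    ott = store.issue(username)
    gateway.send(mobile, f"Login code {ott} (valid {OTT_TTL_SECONDS // 60} min)")
    return True


def finish_second_factor(username, submitted_ott, store):
    """The second screen: only when this returns True would CAS go on to mint its tickets."""
    return store.validate(username, submitted_ott)


def ott_from_sms(text):
    """What the user reads off the phone: the 6-digit code inside the constructed SMS text."""
    m = re.search(rf"\b\d{{{OTT_DIGITS}}}\b", text)
    return m.group(0) if m else None


if __name__ == "__main__":
    clock, store, gw = FakeClock(), OttStore(clock=clock.now), RecordingSmsGateway()
    start_second_factor("alice", store, gw)
    code = ott_from_sms(gw.sent[-1][1])
    print("second factor passed:", finish_second_factor("alice", code, store))
```

The store deliberately deletes the record on success, on expiry and on too many failures, so every path back to the second screen requires a freshly issued token; in a real deployment the same three rules belong in the database row (or cache entry) CAS writes the OTT to.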
The diagram on the following page illustrates the flow of logic.